Privacy Policy
Last Updated: May 19, 2026 · Effective Date: May 19, 2026
Contents
- 1. Introduction
- 2. Accountability and Our Role
- 3. Information We Collect
- 4. How We Use Personal Information
- 5. Automated Processing and Human Assistance
- 6. Call Recording Notice
- 7. Disclosure of Personal Information
- 8. Service Providers and International Data Transfers
- 9. Data Retention
- 10. Security Safeguards
- 11. Data Breach Response
- 12. Your Privacy Rights
- 13. Cookies and Similar Technologies
- 14. Children's Privacy
- 15. Contact Us
- 16. Changes to This Privacy Policy
1. Introduction
Kiro ("Kiro," "we," "us," or "our") provides an AI-powered receptionist service that handles phone calls and chat messages on behalf of small businesses (each, a "Business Client"). This service includes an AI voice agent, an AI chatbot, appointment and reservation handling, callback requests, and related notifications (collectively, the "Service").
This Privacy Policy explains how we collect, use, disclose, store, and protect personal information when you:
- Call or chat with an AI assistant operated through the Service on behalf of a Business Client (an "End Customer"); or
- Use the Service as a Business Client or an authorized user of a Business Client account.
By using the Service, contacting a Business Client through the Service, or continuing a recorded call after the recording notice, you acknowledge the practices described in this Privacy Policy.
The Service is currently offered to businesses and customers in Canada and the United States. It is not directed at individuals located outside Canada and the United States.
We are committed to handling personal information in accordance with applicable privacy laws, including:
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA);
- Alberta's Personal Information Protection Act (PIPA) and British Columbia's PIPA, where applicable;
- Quebec's Act respecting the protection of personal information in the private sector ("Quebec Law 25"), where applicable;
- Canada's Anti-Spam Legislation (CASL); and
- The California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), and other U.S. state privacy laws, where applicable.
2. Accountability and Our Role
2.1 Privacy Officer
Kiro has designated a Privacy Officer who is responsible for our compliance with this Privacy Policy and applicable privacy laws. You may contact the Privacy Officer using the details in Section 15.
2.2 Our role: Business Client as controller, Kiro as service provider
It is important to understand the two roles involved in the Service.
The Business Client is the data controller. When you call or chat with an AI assistant, you are contacting a specific business (for example, a restaurant, salon, clinic, or other service provider). That business determines what information is collected from End Customers and the purposes for which it is used. The Business Client is responsible for its own privacy practices and for obtaining any consents required for its purposes.
Kiro acts as a service provider (data processor). Kiro processes End Customer personal information on behalf of, and under the instructions of, the Business Client in order to deliver the Service. Kiro does not use End Customer personal information for its own independent purposes, except that Kiro creates and uses aggregated and de-identified information as described in Section 4.4. Aggregated and de-identified information does not identify any individual and is not personal information.
If you have questions about how a specific Business Client uses your information, you should also contact that business directly.
3. Information We Collect
3.1 Information from End Customers (callers and chat users)
When you interact with an AI assistant through the Service, we may collect, on behalf of the Business Client:
- Identification and contact information — your name, phone number, and (if provided) email address;
- Voice recordings and transcripts — audio recordings of phone calls and text transcripts generated from them;
- Chat messages — the content of your messages with the AI chatbot;
- Request details — reservation, appointment, order, callback, service request, waitlist, or complaint information, including dates, times, party size, and similar details;
- Sensitive details you choose to provide — additional information you choose to share, which may include sensitive information such as allergies, accessibility needs, or health-related details (for example, when contacting a clinic);
- Call metadata — phone number, call time, call duration, and similar technical information.
You are not required to provide sensitive information. Please share only what is necessary for your request. The notice you receive at the start of each call — that the call is recorded and that recorded information will be processed to handle your request — also serves as notice that any sensitive details you choose to share during the call will be recorded and processed for that purpose. You may end the call, omit sensitive details, or contact the Business Client by another method at any time.
3.2 Information from Business Clients
When a Business Client uses the Service, we collect business contact details, owner or authorized-user name, email, phone number, business address, business hours, menu or service details, and account login information.
3.3 Information collected automatically
When you use our chatbot or websites, we may collect limited technical information such as IP address, browser type, device information, and usage data, through cookies or similar technologies, to operate and secure the Service. See Section 13.
4. How We Use Personal Information
4.1 To deliver the Service on behalf of the Business Client
- Processing reservations, appointments, orders, callbacks, service requests, waitlist entries, and complaints;
- Sending confirmation and follow-up messages by SMS or email related to your request (see Section 4.5);
- Operating the AI voice agent and chatbot so you can be served.
4.2 To operate, secure, and support the Service
- Authentication, fraud prevention, troubleshooting, and technical administration;
- Detecting and preventing misuse, security incidents, and abuse.
4.3 To provide quality and insights to the Business Client
- Reviewing interactions for quality assurance for that Business Client;
- Generating statistics, reports, and insights for that Business Client about that Business Client's own activity (for example, call volume, peak hours, reservation trends, and customer patterns).
4.4 Aggregated and de-identified information
We create aggregated and de-identified information — statistical and pattern information generated using methods intended to ensure that the result cannot reasonably be used, alone or in combination with other information, to identify or be linked to any individual. This activity is performed in accordance with our service provider agreements with Business Clients. We may use the resulting aggregated and de-identified information to operate, evaluate, and improve the Service. We implement technical and business safeguards designed to prevent re-identification, we do not attempt to re-identify de-identified information, and we contractually prohibit our service providers from doing so.
4.5 Communications
We send transactional messages — such as reservation or appointment confirmations and follow-ups — that relate directly to a request you made. These transactional messages are not commercial electronic messages and are exempt under CASL Section 6(6).
We do not send you marketing or promotional messages based on your interaction with an AI assistant. Your contacting a Business Client through the Service does not create consent to receive marketing messages. Marketing messages are sent only where the sender (normally the Business Client) has obtained your separate, express consent. Any commercial electronic message will identify the sender, provide contact information, and include an unsubscribe mechanism that remains valid for at least 60 days and is processed without delay and in any event within 10 business days, consistent with CASL.
4.6 Limits on use
We use personal information only for the purposes identified in this Policy or for purposes for which consent is obtained. We do not use call recordings or transcripts for unrelated purposes.
4.7 No use for AI model training; no biometric use
We do not use End Customer personal information, call recordings, or transcripts to train publicly available or third-party foundational AI models. Our AI service providers process this information to generate responses but, under their applicable terms for the interfaces we use, do not use it to train their models. We do not use voice recordings for biometric identification, voiceprinting, or voice fingerprinting.
5. Automated Processing and Human Assistance
The Service uses artificial intelligence to understand requests and generate responses. This is automated processing.
If you are not satisfied with the AI assistant, or prefer to speak with a person, you may request human assistance. The Service is designed to let you reach the Business Client or leave a callback request so that a person can follow up. The AI assistant does not make decisions that produce legal or similarly significant effects about you.
6. Call Recording Notice
Phone calls handled through the Service may be recorded and transcribed for quality assurance, service delivery, internal staff and service training, and record-keeping purposes. The references to "training" in this section refer to internal human review for quality and service-improvement purposes only, and do not mean the use of recordings to train artificial-intelligence models (see Section 4.7). At the start of each call you are informed that the call may be recorded, that you are speaking with an AI assistant, and that information you share during the call — including any sensitive details necessary for your request — will be processed to handle that request.
If you do not wish to be recorded, you may end the call and contact the Business Client by another method (for example, visiting in person, using a website, or sending a written message). Continuing the call after the recording notice indicates your consent to the recording for the stated purposes. If you end the call at the recording notice, any partial information collected up to that point is not used to fulfill a request and is deleted or de-identified in the ordinary course.
7. Disclosure of Personal Information
We disclose personal information only as follows:
- To the relevant Business Client — the business you contacted receives the information necessary to handle and follow up on your request;
- To service providers (sub-processors) — we use trusted third-party providers to operate the Service, as described in Section 8;
- For legal reasons — where required by law, regulation, or valid legal process (such as a court order or subpoena). Where a request is discretionary rather than legally required, we evaluate it before responding and disclose only what is appropriate;
- In a business transfer — in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality protections.
We do not sell personal information, and we do not "share" personal information for cross-context behavioral advertising, as those terms are defined under applicable U.S. state privacy laws.
8. Service Providers and International Data Transfers
The Service relies on third-party providers that store and process personal information on servers located in the United States. As of the effective date of this Policy, our service providers and the functions they perform are:
- Cloud hosting and database — application hosting and database storage (Railway; Supabase; Vercel for our websites);
- Telephony — phone call connection and call recording (Twilio);
- AI processing — natural-language understanding and response generation (Anthropic);
- Voice and transcription — text-to-speech and speech-to-text (OpenAI);
- Messaging — SMS and email delivery (Twilio; Resend).
Because these providers operate in the United States, your personal information is processed in, and subject to the laws of, the United States, including potential lawful access by U.S. courts, law enforcement, and government authorities (including under the U.S. CLOUD Act and similar legal authorities). We require our service providers, by contract, to protect personal information at a level comparable to this Policy and applicable law, and to use it only to provide services to us.
If you have questions about the collection, use, disclosure, or storage of personal information by our service providers outside Canada, or would like an up-to-date list of our service providers, you may contact our Privacy Officer (Section 15).
If we add or change a service provider that processes personal information, we will update this Section and, where required, notify Business Clients.
By using the Service, you acknowledge that your personal information will be transferred to and processed in the United States.
9. Data Retention
We retain personal information only as long as necessary to fulfill the purposes described in this Policy, to comply with legal and accounting obligations, to resolve disputes, and to enforce our agreements. Our standard retention periods are:
- Call recordings — retained for 90 days by default, then deleted or de-identified, unless a longer period (up to 12 months) is agreed with the Business Client for a legitimate, identified purpose, or a longer period is required by law.
- Call transcripts and chat transcripts — retained for up to 12 months, then deleted or de-identified, unless a longer period is required by law.
- Reservation, appointment, and request data — split as follows:
- Transaction and financial records (such as service or order summaries, dates, amounts) retained for up to 7 years, consistent with Canadian tax and business record-keeping obligations.
- Personally identifying details associated with those records (such as names, contact details, allergies, accessibility notes, and special requests) are minimized or de-identified after 12 months, unless retention for a longer period is required for ongoing service to the End Customer or by law.
- Account data (Business Clients) — retained for the duration of the account relationship and deleted or de-identified within 90 days after the relationship ends, unless a longer period is required by law.
- Aggregated and de-identified information — may be retained indefinitely because it does not identify any individual.
These periods may be adjusted with a Business Client where a different period is required for a legitimate purpose or by law. When personal information is no longer required, it is securely deleted or de-identified.
10. Security Safeguards
We use administrative, technical, and physical safeguards designed to protect personal information against loss, theft, and unauthorized access, use, disclosure, copying, or modification. These measures include access controls and authentication, encrypted connections (TLS) for data in transit, restricted database access, and use of reputable infrastructure providers.
No method of transmission or storage is completely secure. While we work to protect your information, we cannot guarantee absolute security.
11. Data Breach Response
If a breach of security safeguards involving personal information occurs, we will respond in accordance with applicable law.
- Where a breach creates a real risk of significant harm to an individual, we will, as applicable, report the breach to the Office of the Privacy Commissioner of Canada and/or the relevant provincial commissioner, and notify affected individuals as soon as feasible.
- As a service provider, where a breach affects personal information processed on behalf of a Business Client, we will notify the affected Business Client without undue delay so that it can meet its own obligations, and we will cooperate in the response.
- We maintain records of breaches of security safeguards as required by law.
12. Your Privacy Rights
Depending on your location, you may have the right to:
- Access the personal information we hold about you;
- Correct inaccurate or incomplete personal information;
- Withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual limits (this may affect our ability to provide the Service);
- Request deletion of your personal information;
- Opt out of marketing communications at any time;
- Challenge our compliance with this Policy or applicable privacy law.
12.1 How to exercise your rights
Because the Business Client is the data controller, requests relating to End Customer information may be directed either to the Business Client or to Kiro. If you contact Kiro, we will work with the relevant Business Client to respond. To protect your privacy, we will take reasonable steps to verify your identity before responding. An authorized agent may submit a request on your behalf with proof of authorization.
We will respond within the timeframes required by applicable law (generally within 30 days under PIPEDA, and within 45 days under California law, in each case subject to permitted extensions).
12.2 Challenging compliance
If you have a concern or complaint about our handling of personal information, please contact our Privacy Officer first (Section 15). We will investigate and respond. If you are not satisfied, you may contact the Office of the Privacy Commissioner of Canada, or the Information and Privacy Commissioner of Alberta or British Columbia, where applicable.
12.3 California residents (CCPA/CPRA)
If you are a California resident, you have the right to know, access, correct, and delete personal information, and the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under California law. You also have the right to limit the use of sensitive personal information; we use sensitive personal information only as necessary to provide the Service and for the purposes described in this Policy, and not for inferring characteristics about you. We will not discriminate against you for exercising your rights.
The categories of personal information we collect, the sources, the purposes, and the categories of recipients are described in Sections 3, 4, 7, and 8 of this Policy.
12.4 Quebec residents (Quebec Law 25)
If you are a resident of Quebec, in addition to the rights above you may have the right to data portability (to receive certain personal information in a structured, commonly used technological format), and rights regarding automated decision-making, including the right to be informed of and to submit observations about a decision based exclusively on automated processing. You may also contact the Commission d'accès à l'information du Québec. The Service is currently provided in English; a French-language version of this Policy will be made available before the Service is actively offered to Quebec-based Business Clients.
12.5 For Business Clients
If you are a Business Client, you may access, correct, and delete your account information, and you may request export or deletion of your data upon termination of your account, subject to the terms of your service agreement with Kiro and to legal retention requirements. These matters may also be addressed in your separate service agreement or data processing agreement with Kiro.
13. Cookies and Similar Technologies
Our chatbot and websites may use cookies and similar technologies to operate the Service, remember preferences, maintain security, and understand usage. You can control cookies through your browser settings. Disabling certain cookies may affect how the Service functions.
14. Children's Privacy
The Service is intended for use by adults for general business communications and is not directed at children or minors. We do not knowingly collect personal information from minors — as defined under applicable law (for example, persons under 13 under the U.S. Children's Online Privacy Protection Act, and persons under 14 under Quebec Law 25) — in a manner requiring verifiable parental or guardian consent under applicable law.
Where a Business Client operates a service directed at or serving minors (for example, a pediatric clinic), the Business Client, as the data controller, is responsible for ensuring that appropriate parental or guardian consent is obtained for the collection and use of information about minors in accordance with applicable law.
If you believe a minor has provided personal information through the Service, please contact us so we can take appropriate action.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, contact our Privacy Officer:
If you are an End Customer with questions about how a specific business uses your information, please also contact that business directly.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date above and, where appropriate, provide additional notice. Your continued use of the Service after an updated Policy takes effect indicates your acknowledgment of the changes.